Vulnerability CVE-2016-6564


Published: 2018-07-13   Modified: 2018-07-14

Description:
Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0

Type:

CWE-264

(Permissions, Privileges, and Access Controls)

CVSS2 => (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
9.3/10
10/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
XOLO -> Cube 5.0 firmware 
Leagoo -> Lead 3i firmware 
Leagoo -> Lead 5 firmware 
Leagoo -> Lead 6 firmware 
Leagoo -> Alfa 6 firmware 
Leagoo -> Lead 2s firmware 
Infinixauthority -> Hot 2 x510 firmware 
Infinixauthority -> Hot x507 firmware 
Infinixauthority -> Zero 2 x509 firmware 
Infinixauthority -> Zero x506 firmware 
Iku-mobile -> Colorful k45i firmware 
Doogee -> Voyager 2 dg310i firmware 
Bluproducts -> Studio 6.0 hd firmware 
Bluproducts -> Studio c hd firmware 
Bluproducts -> Studio g firmware 
Bluproducts -> Studio g plus firmware 
Bluproducts -> Studio x firmware 
Bluproducts -> Studio x plus firmware 
Beeline -> Pro 2 firmware 

 References:
https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack
https://www.kb.cert.org/vuls/id/624539
https://www.securityfocus.com/bid/94393/

Copyright 2021, cxsecurity.com

 

Back to Top